Hackers Hit ‘Some’ Cisco Customers With Leaked NSA Hacking Tools

Unknown hackers have used NSA hacking tools released online last month to breach some targets using firewalls, switches and routers made by Cisco Systems, according to the tech company.

This is apparently the first real-world cyberattack leveraging an unknown vulnerability that was in the arsenal of the NSA elite hacking team for years until a mysterious group calling itself The Shadow Brokers dumped several of those NSA tools on the internet.

Cisco is “aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” the company said in a security advisory released on Friday. These attacks leveraged a vulnerability in the way some Cisco devices handle encryption, allowing hackers to extract data stored in memory and access “confidential information” by simply sending a specially crafted packet to the target device.

It’s unclear who exactly got hacked or spied upon in these attacks, as Cisco did not reveal any details in the advisory and declined to provide more specifics to Motherboard, citing a policy not to disclose customer information. The company said it will release patches soon but has decided to disclose the flaws now given that there was some public awareness of it.

“If a new vulnerability is found, we disclose it in line with our well-established processes, and that is what we did here,” a Cisco spokesperson said in a statement.

“How far does this rabbit hole go?”

The new vulnerability—technically known as CVE-2016-6415—discovered by Cisco and used in these attacks affects several devices running Cisco’s IOS operating system, and that use a protocol called IKEv1 to set up a secure connection. This protocol can be used for firewalls, to provide virtual private networks, and even manage industrial control system devices, according to experts.

Cisco already warned of two other exploits found in The Shadow Brokers dump weeks ago, and this new one might not be the last.

“How far does this rabbit hole go?” Michael Toecker, who specializes in infrastructure security, told Motherboard, explaining that this exploit affects “a large chunk of their product line.”

Toecker, who is a control systems engineer and consultant for Context Industrial Security, is especially worried about critical control systems, which often use Cisco VPN products to troubleshoot and maintain important facilities, according to him. Especially after the cyberattack on the power grid in Ukraine, he said, “this isn’t something owners and vendors can ignore, remote access to ICS is nothing to take lightly.”

A similar flaw affecting legacy Cisco PIX firewalls was found weeks ago after the dump by The Shadow Brokers in August. At the time, a security researcher was able to demonstrate that an NSA tool dubbed BENIGNCERTAIN could be used to grab VPN passwords in some Cisco products, and a professor at New York University set up a honeypot to see if anyone was trying to perform another attack based on leaked exploits. The professor reportedly caught an attack within 24 hours.

As it turns out, honeypots were not the only targets getting hacked. And even a full month after the 300MB of hacking tools stolen from the NSA’s Tailored Access operations team, also dubbed as Equation Group, we might still be far away from knowing the extent of the damage done by the mysterious leakers.